- -------------------------------------------------------------------------
Debian Security Advisory DSA-4187-1                   security@debian.org
https://www.debian.org/security/                            Ben Hutchings
May 01, 2018                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
CVE ID         : CVE-2015-9016 CVE-2017-0861 CVE-2017-5715 CVE-2017-5753
                 CVE-2017-13166 CVE-2017-13220 CVE-2017-16526 CVE-2017-16911
                 CVE-2017-16912 CVE-2017-16913 CVE-2017-16914 CVE-2017-18017
                 CVE-2017-18203 CVE-2017-18216 CVE-2017-18232 CVE-2017-18241
                 CVE-2018-1066 CVE-2018-1068 CVE-2018-1092 CVE-2018-5332
                 CVE-2018-5333 CVE-2018-5750 CVE-2018-5803 CVE-2018-6927
                 CVE-2018-7492 CVE-2018-7566 CVE-2018-7740 CVE-2018-7757
                 CVE-2018-7995 CVE-2018-8781 CVE-2018-8822 CVE-2018-1000004
                 CVE-2018-1000199

Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

CVE-2015-9016

    Ming Lei reported a race condition in the multiqueue block layer
    (blk-mq).  On a system with a driver using blk-mq (mtip32xx,
    null_blk, or virtio_blk), a local user might be able to use this
    for denial of service or possibly for privilege escalation.

CVE-2017-0861

    Robb Glasser reported a potential use-after-free in the ALSA (sound)
    PCM core.  We believe this was not possible in practice.

CVE-2017-5715

    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes
    running on the system.

    This specific attack has been named Spectre variant 2 (branch
    target injection) and is mitigated for the x86 architecture (amd64
    and i386) by using the "retpoline" compiler feature which allows
    indirect branches to be isolated from speculative execution.

CVE-2017-5753

    Multiple researchers have discovered a vulnerability in various
    processors supporting speculative execution, enabling an attacker
    controlling an unprivileged process to read memory from arbitrary
    addresses, including from the kernel and all other processes
    running on the system.

    This specific attack has been named Spectre variant 1
    (bounds-check bypass) and is mitigated by identifying vulnerable
    code sections (array bounds checking followed by array access) and
    replacing the array access with the speculation-safe
    array_index_nospec() function.

    More use sites will be added over time.

CVE-2017-13166

    A bug in the 32-bit compatibility layer of the v4l2 ioctl handling
    code has been found. Memory protections ensuring user-provided
    buffers always point to userland memory were disabled, allowing
    destination addresses to be in kernel space. On a 64-bit kernel a
    local user with access to a suitable video device can exploit this
    to overwrite kernel memory, leading to privilege escalation.

CVE-2017-13220

    Al Viro reported that the Bluetooth HIDP implementation could
    dereference a pointer before performing the necessary type check.
    A local user could use this to cause a denial of service.

CVE-2017-16526

    Andrey Konovalov reported that the UWB subsystem may dereference
    an invalid pointer in an error case.  A local user might be able
    to use this for denial of service.

CVE-2017-16911

    Secunia Research reported that the USB/IP vhci_hcd driver exposed
    kernel heap addresses to local users.  This information could aid the
    exploitation of other vulnerabilities.

CVE-2017-16912

    Secunia Research reported that the USB/IP stub driver failed to
    perform a range check on a received packet header field, leading
    to an out-of-bounds read.  A remote user able to connect to the
    USB/IP server could use this for denial of service.

CVE-2017-16913

    Secunia Research reported that the USB/IP stub driver failed to
    perform a range check on a received packet header field, leading
    to excessive memory allocation.  A remote user able to connect to
    the USB/IP server could use this for denial of service.

CVE-2017-16914

    Secunia Research reported that the USB/IP stub driver failed to
    check for an invalid combination of fields in a received packet,
    leading to a null pointer dereference.  A remote user able to
    connect to the USB/IP server could use this for denial of service.

CVE-2017-18017

    Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module
    failed to validate TCP header lengths, potentially leading to a
    use-after-free.  If this module is loaded, it could be used by a
    remote attacker for denial of service or possibly for code
    execution.

CVE-2017-18203

    Hou Tao reported that there was a race condition in creation and
    deletion of device-mapper (DM) devices.  A local user could
    potentially use this for denial of service.

CVE-2017-18216

    Alex Chen reported that the OCFS2 filesystem failed to hold a
    necessary lock during nodemanager sysfs file operations,
    potentially leading to a null pointer dereference.  A local user
    could use this for denial of service.

CVE-2017-18232

    Jason Yan reported a race condition in the SAS (Serial-Attached
    SCSI) subsystem, between probing and destroying a port.  This
    could lead to a deadlock.  A physically present attacker could
    use this to cause a denial of service.

CVE-2017-18241

    Yunlei He reported that the f2fs implementation does not properly
    initialise its state if the "noflush_merge" mount option is used.
    A local user with access to a filesystem mounted with this option
    could use this to cause a denial of service.

CVE-2018-1066

    Dan Aloni reported to Red Hat that the CIFS client implementation
    would dereference a null pointer if the server sent an invalid
    response during NTLMSSP setup negotiation.  This could be used
    by a malicious server for denial of service.

CVE-2018-1068

    The syzkaller tool found that the 32-bit compatibility layer of
    ebtables did not sufficiently validate offset values. On a 64-bit
    kernel, a local user with the CAP_NET_ADMIN capability (in any user
    namespace) could use this to overwrite kernel memory, possibly
    leading to privilege escalation. Debian disables unprivileged user
    namespaces by default.

CVE-2018-1092

    Wen Xu reported that a crafted ext4 filesystem image would
    trigger a null dereference when mounted.  A local user able
    to mount arbitrary filesystems could use this for denial of
    service.

CVE-2018-5332

    Mohamed Ghannam reported that the RDS protocol did not
    sufficiently validate RDMA requests, leading to an out-of-bounds
    write.  A local attacker on a system with the rds module loaded
    could use this for denial of service or possibly for privilege
    escalation.

CVE-2018-5333

    Mohamed Ghannam reported that the RDS protocol did not properly
    handle an error case, leading to a null pointer dereference.  A
    local attacker on a system with the rds module loaded could
    possibly use this for denial of service.

CVE-2018-5750

    Wang Qize reported that the ACPI sbshc driver logged a kernel heap
    address.  This information could aid the exploitation of other
    vulnerabilities.

CVE-2018-5803

    Alexey Kodanev reported that the SCTP protocol did not range-check
    the length of chunks to be created.  A local or remote user could
    use this to cause a denial of service.

CVE-2018-6927

    Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did
    not check for negative parameter values, which might lead to a
    denial of service or other security impact.

CVE-2018-7492

    The syzkaller tool found that the RDS protocol was lacking a null
    pointer check.  A local attacker on a system with the rds module
    loaded could use this for denial of service.

CVE-2018-7566

    Fan LongFei reported a race condition in the ALSA (sound)
    sequencer core, between write and ioctl operations.  This could
    lead to an out-of-bounds access or use-after-free.  A local user
    with access to a sequencer device could use this for denial of
    service or possibly for privilege escalation.

CVE-2018-7740

    Nic Losby reported that the hugetlbfs filesystem's mmap operation
    did not properly range-check the file offset.  A local user with
    access to files on a hugetlbfs filesystem could use this to cause
    a denial of service.

CVE-2018-7757

    Jason Yan reported a memory leak in the SAS (Serial-Attached
    SCSI) subsystem.  A local user on a system with SAS devices
    could use this to cause a denial of service.

CVE-2018-7995

    Seunghun Han reported a race condition in the x86 MCE
    (Machine Check Exception) driver.  This is unlikely to have
    any security impact.

CVE-2018-8781

    Eyal Itkin reported that the udl (DisplayLink) driver's mmap
    operation did not properly range-check the file offset.  A local
    user with access to a udl framebuffer device could exploit this to
    overwrite kernel memory, leading to privilege escalation.

CVE-2018-8822

    Dr Silvio Cesare of InfoSect reported that the ncpfs client
    implementation did not validate reply lengths from the server.  An
    ncpfs server could use this to cause a denial of service or
    remote code execution in the client.

CVE-2018-1000004

    Luo Quan reported a race condition in the ALSA (sound) sequencer
    core, between multiple ioctl operations.  This could lead to a
    deadlock or use-after-free.  A local user with access to a
    sequencer device could use this for denial of service or possibly
    for privilege escalation.

CVE-2018-1000199

    Andy Lutomirski discovered that the ptrace subsystem did not
    sufficiently validate hardware breakpoint settings.  Local users    can use this to cause a denial of service, or possibly for
    privilege escalation, on x86 (amd64 and i386) and possibly other
    architectures.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.16.56-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/source-package/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Debian: DSA-4187-1: linux security update

May 1, 2018
Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks

Summary

CVE-2015-9016

Ming Lei reported a race condition in the multiqueue block layer
(blk-mq). On a system with a driver using blk-mq (mtip32xx,
null_blk, or virtio_blk), a local user might be able to use this
for denial of service or possibly for privilege escalation.

CVE-2017-0861

Robb Glasser reported a potential use-after-free in the ALSA (sound)
PCM core. We believe this was not possible in practice.

CVE-2017-5715

Multiple researchers have discovered a vulnerability in various
processors supporting speculative execution, enabling an attacker
controlling an unprivileged process to read memory from arbitrary
addresses, including from the kernel and all other processes
running on the system.

This specific attack has been named Spectre variant 2 (branch
target injection) and is mitigated for the x86 architecture (amd64
and i386) by using the "retpoline" compiler feature which allows
indirect branches to be isolated from speculative execution.

CVE-2017-5753

Multiple researchers have discovered a vulnerability in various
processors supporting speculative execution, enabling an attacker
controlling an unprivileged process to read memory from arbitrary
addresses, including from the kernel and all other processes
running on the system.

This specific attack has been named Spectre variant 1
(bounds-check bypass) and is mitigated by identifying vulnerable
code sections (array bounds checking followed by array access) and
replacing the array access with the speculation-safe
array_index_nospec() function.

More use sites will be added over time.

CVE-2017-13166

A bug in the 32-bit compatibility layer of the v4l2 ioctl handling
code has been found. Memory protections ensuring user-provided
buffers always point to userland memory were disabled, allowing
destination addresses to be in kernel space. On a 64-bit kernel a
local user with access to a suitable video device can exploit this
to overwrite kernel memory, leading to privilege escalation.

CVE-2017-13220

Al Viro reported that the Bluetooth HIDP implementation could
dereference a pointer before performing the necessary type check.
A local user could use this to cause a denial of service.

CVE-2017-16526

Andrey Konovalov reported that the UWB subsystem may dereference
an invalid pointer in an error case. A local user might be able
to use this for denial of service.

CVE-2017-16911

Secunia Research reported that the USB/IP vhci_hcd driver exposed
kernel heap addresses to local users. This information could aid the
exploitation of other vulnerabilities.

CVE-2017-16912

Secunia Research reported that the USB/IP stub driver failed to
perform a range check on a received packet header field, leading
to an out-of-bounds read. A remote user able to connect to the
USB/IP server could use this for denial of service.

CVE-2017-16913

Secunia Research reported that the USB/IP stub driver failed to
perform a range check on a received packet header field, leading
to excessive memory allocation. A remote user able to connect to
the USB/IP server could use this for denial of service.

CVE-2017-16914

Secunia Research reported that the USB/IP stub driver failed to
check for an invalid combination of fields in a received packet,
leading to a null pointer dereference. A remote user able to
connect to the USB/IP server could use this for denial of service.

CVE-2017-18017

Denys Fedoryshchenko reported that the netfilter xt_TCPMSS module
failed to validate TCP header lengths, potentially leading to a
use-after-free. If this module is loaded, it could be used by a
remote attacker for denial of service or possibly for code
execution.

CVE-2017-18203

Hou Tao reported that there was a race condition in creation and
deletion of device-mapper (DM) devices. A local user could
potentially use this for denial of service.

CVE-2017-18216

Alex Chen reported that the OCFS2 filesystem failed to hold a
necessary lock during nodemanager sysfs file operations,
potentially leading to a null pointer dereference. A local user
could use this for denial of service.

CVE-2017-18232

Jason Yan reported a race condition in the SAS (Serial-Attached
SCSI) subsystem, between probing and destroying a port. This
could lead to a deadlock. A physically present attacker could
use this to cause a denial of service.

CVE-2017-18241

Yunlei He reported that the f2fs implementation does not properly
initialise its state if the "noflush_merge" mount option is used.
A local user with access to a filesystem mounted with this option
could use this to cause a denial of service.

CVE-2018-1066

Dan Aloni reported to Red Hat that the CIFS client implementation
would dereference a null pointer if the server sent an invalid
response during NTLMSSP setup negotiation. This could be used
by a malicious server for denial of service.

CVE-2018-1068

The syzkaller tool found that the 32-bit compatibility layer of
ebtables did not sufficiently validate offset values. On a 64-bit
kernel, a local user with the CAP_NET_ADMIN capability (in any user
namespace) could use this to overwrite kernel memory, possibly
leading to privilege escalation. Debian disables unprivileged user
namespaces by default.

CVE-2018-1092

Wen Xu reported that a crafted ext4 filesystem image would
trigger a null dereference when mounted. A local user able
to mount arbitrary filesystems could use this for denial of
service.

CVE-2018-5332

Mohamed Ghannam reported that the RDS protocol did not
sufficiently validate RDMA requests, leading to an out-of-bounds
write. A local attacker on a system with the rds module loaded
could use this for denial of service or possibly for privilege
escalation.

CVE-2018-5333

Mohamed Ghannam reported that the RDS protocol did not properly
handle an error case, leading to a null pointer dereference. A
local attacker on a system with the rds module loaded could
possibly use this for denial of service.

CVE-2018-5750

Wang Qize reported that the ACPI sbshc driver logged a kernel heap
address. This information could aid the exploitation of other
vulnerabilities.

CVE-2018-5803

Alexey Kodanev reported that the SCTP protocol did not range-check
the length of chunks to be created. A local or remote user could
use this to cause a denial of service.

CVE-2018-6927

Li Jinyue reported that the FUTEX_REQUEUE operation on futexes did
not check for negative parameter values, which might lead to a
denial of service or other security impact.

CVE-2018-7492

The syzkaller tool found that the RDS protocol was lacking a null
pointer check. A local attacker on a system with the rds module
loaded could use this for denial of service.

CVE-2018-7566

Fan LongFei reported a race condition in the ALSA (sound)
sequencer core, between write and ioctl operations. This could
lead to an out-of-bounds access or use-after-free. A local user
with access to a sequencer device could use this for denial of
service or possibly for privilege escalation.

CVE-2018-7740

Nic Losby reported that the hugetlbfs filesystem's mmap operation
did not properly range-check the file offset. A local user with
access to files on a hugetlbfs filesystem could use this to cause
a denial of service.

CVE-2018-7757

Jason Yan reported a memory leak in the SAS (Serial-Attached
SCSI) subsystem. A local user on a system with SAS devices
could use this to cause a denial of service.

CVE-2018-7995

Seunghun Han reported a race condition in the x86 MCE
(Machine Check Exception) driver. This is unlikely to have
any security impact.

CVE-2018-8781

Eyal Itkin reported that the udl (DisplayLink) driver's mmap
operation did not properly range-check the file offset. A local
user with access to a udl framebuffer device could exploit this to
overwrite kernel memory, leading to privilege escalation.

CVE-2018-8822

Dr Silvio Cesare of InfoSect reported that the ncpfs client
implementation did not validate reply lengths from the server. An
ncpfs server could use this to cause a denial of service or
remote code execution in the client.

CVE-2018-1000004

Luo Quan reported a race condition in the ALSA (sound) sequencer
core, between multiple ioctl operations. This could lead to a
deadlock or use-after-free. A local user with access to a
sequencer device could use this for denial of service or possibly
for privilege escalation.

CVE-2018-1000199

Andy Lutomirski discovered that the ptrace subsystem did not
sufficiently validate hardware breakpoint settings. Local users can use this to cause a denial of service, or possibly for
privilege escalation, on x86 (amd64 and i386) and possibly other
architectures.

For the oldstable distribution (jessie), these problems have been fixed
in version 3.16.56-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/source-package/linux

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Severity
Several vulnerabilities have been discovered in the Linux kernel that
may lead to a privilege escalation, denial of service or information
leaks.

Related News

5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
Sign Up